Since drop_invalid has been turned on by default, ICMPv6 echo requests to well-known multicast addresses, such as ff02::1, are not replied to by the router anymore, because conntrack considers those outgoing reply packets to be invalid.
Fix this by not having the INVALID rule in the OUTPUT chain match IPv6 packets destined to link-local addresses (fe80::/10). Signed-off-by: Vittorio Gambaletta <open...@vittgam.net> --- diff --git a/defaults.c b/defaults.c index 3d210f9..ea905e0 100644 --- a/defaults.c +++ b/defaults.c @@ -180,6 +180,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, "FORWARD", "forwarding", }; + struct fw3_address mcdst = { + .set = true, + .invert = true, + .family = FW3_FAMILY_V6, + .address.v6.s6_addr = { 0xfe, 0x80 }, + .mask.v6.s6_addr = { 0xff, 0xc0 }, + }; + switch (handle->table) { case FW3_TABLE_FILTER: @@ -215,6 +223,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, if (defs->drop_invalid) { r = fw3_ipt_rule_new(handle); + if (i == 2 && handle->family == FW3_FAMILY_V6) + fw3_ipt_rule_src_dest(r, NULL, &mcdst); fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID"); fw3_ipt_rule_target(r, "DROP"); fw3_ipt_rule_append(r, chains[i]);
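
Review bot: the name `mcdst` in the first hunk's new `struct fw3_address` reads as "multicast destination", but the address and mask (`{ 0xfe, 0x80 }` with `{ 0xff, 0xc0 }`) describe fe80::/10, the link-local unicast range, and `.invert = true` turns it into a negated match. A name such as `lldst`, plus a one-line comment saying that replies to pings of ff02::1 leave towards the sender's link-local address and are classed INVALID by conntrack, would let the next reader see why this range is exempted. The struct is also set up on every call, for every table and family, although only the IPv6 filter path uses it; moving it into the `drop_invalid` block would keep it beside its single use.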
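
Review bot: `if (i == 2 && handle->family == FW3_FAMILY_V6)` in the second hunk picks out the OUTPUT chain by a bare index into `chains[]`, whose only entries visible in this patch are "FORWARD" and "forwarding", so the condition silently changes meaning if the array is ever reordered. Comparing against the chain name, or using a named constant for the index, would make the intent explicit. The exemption is also wider than the case in the commit message: with only the negated destination added to the rule, every INVALID packet the router sends to fe80::/10 now skips the DROP, not just ICMPv6 echo replies. If that breadth is not intended, consider restricting the exception to ICMPv6 echo replies and stating the chosen scope in the commit message.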